By Jeremy Kaplan
Published October 22, 2015
"The ZeuS compromise" may sound like a great movie, but it's actually a newly uncovered, massive hacking network -- and it's a doozy, affecting more than 74,000 PCs in 2,400 business and government systems around the world. And it's still up and running.
But worse, the security analysts who detected the underground network believe the criminals behind it aren't even after money. Instead they have built a secret underground network to rent out to gangs, cybercrooks -- and even rogue governments. Here's what you need to know.
Botnet: A collection of software robots, or bots, that run autonomously and often maliciously.
ZeuS: ZeuS is a trojan horse, a botnet system designed to steal information from an infected computer. It records specific, targeted keystrokes of the infected computer and relays them to remote computers.
Kneber: Kneber uses the internal name "BTN1," the default name given to ZeuS botnets. NetWitness has called it "Kneber" after the username linking the infected systems worldwide.
Waledac: Waledac is a peer-to-peer spamming botnet often used to deliver additional malware to PCs. According to NetWitness, Waledac can reinstall Kneber and vice versa.
Size of Botnet: By counting unique IDs assigned to the botnet, NetWitness estimates that 764,126 computers have been compromised at 2,411 companies.
Age of Botnet: The campaign has been running for nearly a year and is still active. Initial reports from NetWitness tie the origin of the network to 25 March, 2009.
Origin of Attack: By associating domain names with IP addresses, NetWitness was able to tie the attack to a global network of servers, with a clear focus on Chinese IP addresses.
Type of PC Infected: The ZeuS bot is purpose-built to infect the Microsoft Windows operating system, notes NetWitness. The top five versions of Windows infected: XP Pro SP2, XP Pro SP3, XP Home SP3, XP Home SP2, Vista Home SP2.
Information Stolen: NetWitness discovered over 68,000 stolen credentials during a four-week period. The top six sites for which credentials were stolen: netlog.com, sonico.com, metroflog.com, hi5.com, yahoo.com, facebook.com.